Initial access: Phishing with brand‑impersonation templates delivered via bulletproof hosting/CDNs
 

Credential access: Adversary‑in‑the‑middle (AitM) pages & session cookie theft to bypass MFA (T1539: Steal Web Session Cookie; T1556.006: Modify Authentication Process – MFA bypass).
 

Defense evasion: Fast‑flux domain rotation and domain shadowing across PhaaS infrastructure (T1583.001/003: Acquire infrastructure; T1036: Masquerading).
 

Exfiltration: Valid account reuse to access M365 and downstream SaaS (T1078: Valid Accounts).

 

Contain account takeovers: Enforce step‑up MFA and conditional access for Rubrik Security Cloud (RSC) user roles; monitor for anomalous session reuse.
 

Blast‑radius control: Use Sensitive Data Discovery to scope exfil risk in M365/OneDrive/SharePoint; enable Snapshot Anomaly Detection to flag mass‑access/rename events post‑phish.
 

Recovery posture: Validate immutable snapshots for M365 mail/SharePoint & on‑prem; test least‑privileged service principals and rotate keys regularly.
 

Initial Access: Exploitation of edge appliance vulnerability/reused stolen credentials (VPN) (T1190/T1078)
 

Defense Evasion: MFA bypass/abuse of OTP (T1556.006), living‑off‑the‑land tools
 

Lateral Movement: Port scanning, SMB/Impacket (T1046/T1021.002)
 

Impact: Encrypt/Exfiltrate (T1486/T1041)
 

Encryption prevention: For VPN‑initiated rapid encryption, ensure MFA on Rubrik login & APIs, Ransomware Monitoring & Investigation is tuned for SMB/Impacket spikes, and Immutable and Anomaly‑aware Snapshots with isolation are enforced. 
 

Access management: Use Service Accounts with least privilege and rotate secrets post‑edge‑device remediation. 
 

Resilience assurance: Validate instant recovery runbooks for AD, hypervisors, and critical file shares.

Vulnerability: Unauthenticated RCE in Oracle EBS (CVE‑2025‑61882); Oracle confirmed active exploitation and shipped an out‑of‑band fix.
 

Objective: Data theft and extortion; emails sent to executives claim large ERP dataset exfiltration; actor branding overlaps with Cl0p/FIN11.
 

Initial access: Likely mix of known July‑patched flaws and the zero‑day; follow‑on access via stolen app creds and session tokens.

 

Application‑aware ERP protection: Ensure frequent, immutable backups of EBS DB and application tiers, validate redo/archive log capture, and enable anomaly‑based exfil alerts on DB dumps.
 

Credential blast‑radius control: Store backup secrets out‑of‑band; rotate any app/service creds found in snapshot scans (Sensitive Data Discovery).
 

Recovery: Stage clean‑room (network‑isolated) rebuilds of EBS; rehearse object‑level restores for HR/Finance; enforce MFA on delete/restore.
 

Vulnerability: CVSS 10.0 deserialization → RCE in GoAnywhere MFT (CVE‑2025‑10035).
 

Exploitation: Microsoft attributes active exploitation to Storm‑1175 with Medusa ransomware outcomes; exploitation may require a private key per reporting; exploitation observed pre‑disclosure.
 

Initial access & execution: Unauthenticated request to license servlet leads to command injection/RCE on MFT host.
 

Objectives: Data theft and ransomware deployment via MFT foothold, with the possibility of lateral movement to internal storage/identity infrastructure.
 

Back up the broker: Treat MFT servers as Tier Zero data brokers. Enforce immutable, high‑frequency snapshots, sensitive data discovery, and egress anomaly alerts on staging paths.
 

Least‑privilege restores: Separate backup identities; MFA‑gate delete/restore; isolate restores into clean room; validate object‑level recovery for partner‑exchange shares.